CVE-2025-29927
Description
Authorization Bypass in Next.js Middleware
In plain language
AI Act nowCVE-2025-29927 is a Next.js authorization bypass that lets an unauthenticated attacker access pages or actions your app intended to protect; if your business uses affected Next.js versions, you should fix it now because it’s extremely likely to be reachable and a public proof-of-concept exists.
CVE-2025-29927 is an authorization bypass in Next.js middleware that can be triggered by a remote, unauthenticated request to protected resources, allowing access that should be blocked by middleware checks; fixed in Next.js 12.3.5 and next 13.5.9.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:HIntegrityA:NAvailabilityWeaknesses
Affected Products
Exploitability
Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.
View exploit detailsAttack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
2 techniquesReferences
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2025-29927 and every CVE in our database. Create a free account — no credit card required.
Create Free Account